r/aws_s3_bucket: Add bucket_namespace argument

.changelog/46917.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_s3_bucket: Add `bucket_namespace` argument in support of [account regional namespaces for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html#account-regional-gp-buckets)
+```

internal/service/s3/bucket.go

@@ -40,6 +40,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/retry"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	inttypes "github.com/hashicorp/terraform-provider-aws/internal/types"
 	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
@@ -50,6 +51,13 @@ const (
 	bucketPropagationTimeout = 2 * time.Minute
 )
 
+var (
+	// See https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html#account-regional-naming.
+	// See https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html#region-code-format.
+	// e.g. example-123456789012-us-west-2-an.
+	accountRegionalBucketNameRegex = regexache.MustCompile(`^[a-z0-9-.]+-` + inttypes.CanonicalAccountIDPatternNoAnchors + `-(?:` + inttypes.CanonicalRegionPatternNoAnchors + `)-an$`)
+)
+
 func isGeneralPurposeBucket(bucket string) bool {
 	return bucketNameTypeFor(bucket) == bucketNameTypeGeneralPurposeBucket
 }
@@ -121,6 +129,13 @@ func resourceBucket() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"bucket_namespace": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ForceNew:         true,
+				ValidateDiagFunc: enum.Validate[types.BucketNamespace](),
+			},
 			names.AttrBucketPrefix: {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -727,9 +742,15 @@ func resourceBucketCreate(ctx context.Context, d *schema.ResourceData, meta any)
 	c := meta.(*conns.AWSClient)
 	conn := c.S3Client(ctx)
 
-	bucket := create.Name(ctx, d.Get(names.AttrBucket).(string), d.Get(names.AttrBucketPrefix).(string))
+	ns := types.BucketNamespace(d.Get("bucket_namespace").(string))
+	optFns := []create.NameGeneratorOptionsFunc{create.WithConfiguredName(d.Get(names.AttrBucket).(string)), create.WithConfiguredPrefix(d.Get(names.AttrBucketPrefix).(string))}
+	switch ns {
+	case types.BucketNamespaceAccountRegional:
+		optFns = append(optFns, create.WithSuffix(fmt.Sprintf("-%s-%s-an", c.AccountID(ctx), c.Region(ctx))))
+	}
+	bucket := create.NewNameGenerator(optFns...).Generate(ctx)
 	region := c.Region(ctx)
-	if err := validBucketName(bucket, region); err != nil {
+	if err := validBucketName(bucket, region, ns); err != nil {
 		return sdkdiag.AppendErrorf(diags, "validating S3 Bucket (%s) name: %s", bucket, err)
 	}
 
@@ -755,6 +776,10 @@ func resourceBucketCreate(ctx context.Context, d *schema.ResourceData, meta any)
 		input.ACL = types.BucketCannedACLPrivate
 	}
 
+	if v, ok := d.GetOk("bucket_namespace"); ok {
+		input.BucketNamespace = types.BucketNamespace(v.(string))
+	}
+
 	// See https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#AmazonS3-CreateBucket-request-LocationConstraint.
 	if region != endpoints.UsEast1RegionID {
 		input.CreateBucketConfiguration = &types.CreateBucketConfiguration{
@@ -837,10 +862,7 @@ func resourceBucketRead(ctx context.Context, d *schema.ResourceData, meta any) d
 		return sdkdiag.AppendErrorf(diags, "reading S3 Bucket (%s): %s", d.Id(), err)
 	}
 
-	d.Set(names.AttrBucket, d.Id())
-	d.Set(names.AttrBucketPrefix, create.NamePrefixFromName(d.Id()))
-
-	resourceBucketFlatten(ctx, meta.(*conns.AWSClient), d.Id(), d)
+	resourceBucketFlatten(ctx, c, d.Id(), d)
 
 	//
 	// Bucket Policy.
@@ -1635,8 +1657,17 @@ func resourceBucketDelete(ctx context.Context, d *schema.ResourceData, meta any)
 
 func resourceBucketFlatten(ctx context.Context, awsClient *conns.AWSClient, bucketName string, d *schema.ResourceData) {
 	d.Set(names.AttrARN, bucketARN(ctx, awsClient, bucketName))
+	d.Set(names.AttrBucket, bucketName)
 	d.Set("bucket_domain_name", awsClient.PartitionHostname(ctx, bucketName+".s3"))
 
+	bucketNamespace := bucketNamespace(bucketName)
+	d.Set("bucket_namespace", bucketNamespace)
+	if bucketNamespace == types.BucketNamespaceAccountRegional {
+		d.Set(names.AttrBucketPrefix, create.NamePrefixFromNameWithSuffix(bucketName, fmt.Sprintf("-%s-%s-an", awsClient.AccountID(ctx), awsClient.Region(ctx))))
+	} else {
+		d.Set(names.AttrBucketPrefix, create.NamePrefixFromName(bucketName))
+	}
+
 	region := awsClient.Region(ctx)
 	d.Set("bucket_regional_domain_name", bucketRegionalDomainName(bucketName, region))
 	if hostedZoneID, err := hostedZoneIDForRegion(region); err == nil {
@@ -1747,6 +1778,13 @@ func bucketWebsiteEndpointAndDomain(bucket, region string) (string, string) {
 	return fmt.Sprintf("%s.%s", bucket, domain), domain
 }
 
+func bucketNamespace(bucket string) types.BucketNamespace {
+	if accountRegionalBucketNameRegex.MatchString(bucket) {
+		return types.BucketNamespaceAccountRegional
+	}
+	return types.BucketNamespaceGlobal
+}
+
 //
 // Bucket CORS Configuration.
 //
@@ -3005,34 +3043,46 @@ func flattenObjectLockConfiguration(apiObject *types.ObjectLockConfiguration) []
 // validBucketName validates any S3 bucket name that is not inside the us-east-1 region.
 // Buckets outside of this region have to be DNS-compliant. After the same restrictions are
 // applied to buckets in the us-east-1 region, this function can be refactored as a SchemaValidateFunc
-func validBucketName(value string, region string) error {
+func validBucketName(bucket, region string, ns types.BucketNamespace) error {
 	if region != endpoints.UsEast1RegionID {
-		if (len(value) < 3) || (len(value) > 63) {
-			return fmt.Errorf("%q must contain from 3 to 63 characters", value)
+		if (len(bucket) < 3) || (len(bucket) > 63) {
+			return fmt.Errorf("%q must contain from 3 to 63 characters", bucket)
 		}
-		if !regexache.MustCompile(`^[0-9a-z-.]+$`).MatchString(value) {
-			return fmt.Errorf("only lowercase alphanumeric characters and hyphens allowed in %q", value)
+		if !regexache.MustCompile(`^[0-9a-z-.]+$`).MatchString(bucket) {
+			return fmt.Errorf("only lowercase alphanumeric characters and hyphens allowed in %q", bucket)
 		}
-		if regexache.MustCompile(`^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$`).MatchString(value) {
-			return fmt.Errorf("%q must not be formatted as an IP address", value)
+		if regexache.MustCompile(`^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$`).MatchString(bucket) {
+			return fmt.Errorf("%q must not be formatted as an IP address", bucket)
 		}
-		if strings.HasPrefix(value, `.`) {
-			return fmt.Errorf("%q cannot start with a period", value)
+		if strings.HasPrefix(bucket, `.`) {
+			return fmt.Errorf("%q cannot start with a period", bucket)
 		}
-		if strings.HasSuffix(value, `.`) {
-			return fmt.Errorf("%q cannot end with a period", value)
+		if strings.HasSuffix(bucket, `.`) {
+			return fmt.Errorf("%q cannot end with a period", bucket)
 		}
-		if strings.Contains(value, `..`) {
-			return fmt.Errorf("%q can be only one period between labels", value)
+		if strings.Contains(bucket, `..`) {
+			return fmt.Errorf("%q can be only one period between labels", bucket)
 		}
 	} else {
-		if len(value) > 255 {
-			return fmt.Errorf("%q must contain less than 256 characters", value)
+		if len(bucket) > 255 {
+			return fmt.Errorf("%q must contain less than 256 characters", bucket)
 		}
-		if !regexache.MustCompile(`^[0-9A-Za-z_.-]+$`).MatchString(value) {
-			return fmt.Errorf("only alphanumeric characters, hyphens, periods, and underscores allowed in %q", value)
+		if !regexache.MustCompile(`^[0-9A-Za-z_.-]+$`).MatchString(bucket) {
+			return fmt.Errorf("only alphanumeric characters, hyphens, periods, and underscores allowed in %q", bucket)
 		}
 	}
+
+	switch ns {
+	case types.BucketNamespaceAccountRegional:
+		if !accountRegionalBucketNameRegex.MatchString(bucket) {
+			return fmt.Errorf("%s is not an account-regional namespace bucket", bucket)
+		}
+	default:
+		if accountRegionalBucketNameRegex.MatchString(bucket) {
+			return fmt.Errorf("%s is an account-regional namespace bucket", bucket)
+		}
+	}
+
 	return nil
 }
 

internal/service/s3/bucket_data_source_test.go

@@ -32,7 +32,7 @@ func TestAccS3BucketDataSource_basic(t *testing.T) {
 				Config: testAccBucketDataSourceConfig_basic(rName),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrPair(dataSourceName, names.AttrARN, resourceName, names.AttrARN),
-					testAccCheckBucketDomainName(ctx, dataSourceName, "bucket_domain_name", rName),
+					testAccCheckBucketDomainName(ctx, t, dataSourceName, "bucket_domain_name", rName),
 					resource.TestCheckResourceAttr(dataSourceName, "bucket_region", region),
 					resource.TestCheckResourceAttr(dataSourceName, "bucket_regional_domain_name", testAccBucketRegionalDomainName(rName, region)),
 					resource.TestCheckResourceAttr(dataSourceName, names.AttrHostedZoneID, hostedZoneID),

internal/service/s3/bucket_inventory.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net/http"
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -225,7 +226,7 @@ func resourceBucketInventoryPut(ctx context.Context, d *schema.ResourceData, met
 		return conn.PutBucketInventoryConfiguration(ctx, input)
 	}, errCodeNoSuchBucket)
 
-	if tfawserr.ErrMessageContains(err, errCodeInvalidArgument, "InventoryConfiguration is not valid, expected CreateBucketConfiguration") {
+	if tfawserr.ErrMessageContains(err, errCodeInvalidArgument, "InventoryConfiguration is not valid, expected CreateBucketConfiguration") || tfawserr.ErrHTTPStatusCodeEquals(err, http.StatusMethodNotAllowed) {
 		err = errDirectoryBucket(err)
 	}
 

internal/service/s3/bucket_list_test.go

@@ -138,7 +138,7 @@ func TestAccS3Bucket_List_includeResource(t *testing.T) {
 						tfquerycheck.KnownValueCheck(tfjsonpath.New(names.AttrARN), tfknownvalue.GlobalARNNoAccountIDExact("s3", rName+"-0")),
 						tfquerycheck.KnownValueCheck(tfjsonpath.New(names.AttrBucket), knownvalue.StringExact(rName+"-0")),
 						tfquerycheck.KnownValueCheck(tfjsonpath.New("bucket_domain_name"), knownvalue.NotNull()),
-						tfquerycheck.KnownValueCheck(tfjsonpath.New(names.AttrBucketPrefix), knownvalue.Null()),
+						tfquerycheck.KnownValueCheck(tfjsonpath.New(names.AttrBucketPrefix), knownvalue.NotNull()),
 						tfquerycheck.KnownValueCheck(tfjsonpath.New("bucket_region"), knownvalue.Null()), // `bucket_region` is redundant
 						tfquerycheck.KnownValueCheck(tfjsonpath.New("bucket_regional_domain_name"), knownvalue.StringExact(testAccBucketRegionalDomainName(rName+"-0", acctest.Region()))),
 						tfquerycheck.KnownValueCheck(tfjsonpath.New(names.AttrForceDestroy), knownvalue.Null()),

internal/service/s3/bucket_replication_configuration.go

@@ -348,10 +348,6 @@ func resourceBucketReplicationConfigurationCreate(ctx context.Context, d *schema
 		return nil
 	})
 
-	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "creating S3 Bucket (%s) Replication Configuration: %s", bucket, err)
-	}
-
 	if tfawserr.ErrMessageContains(err, errCodeInvalidArgument, "ReplicationConfiguration is not valid, expected CreateBucketConfiguration") {
 		err = errDirectoryBucket(err)
 	}